Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare
Important Security Update Alert π¨
Drupal has issued an alert stating that it intends to release a core security release for all supported branches on May 20, 2026, from 5-9 p.m. UTC. The Drupal Security Team urges you to reserve time for core updates during this window because exploits might be developed within hours or days.
Key Points:
- Not all configurations are affected.
- Reserve time on May 20 to determine whether your sites need an immediate update.
- Mitigation information will be included in the advisory.
The exact nature of the security issue being addressed is unknown at this stage, but itβs expected to be severe. Patches are expected to be available for the following supported branches of Drupal core: 11.3.x, 11.2.x, 10.6.x, and 10.5.x. Sites on these versions should update to the latest patch release for their branch now in preparation for the security window.
Recommendations:
- Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9.
- Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.
For sites still on end-of-life major core versions, such as Drupal 8 and 9, patch files for Drupal 8.9 and 9.5 will need to be applied manually. However, there is no guarantee that these fixes will work correctly, and they may introduce other issues or regressions.
We strongly recommend that Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed, security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.
Action Required:
- Sites on any version of Drupal 9 are advised to update to 9.5.11.
- Those on any version of Drupal 8 should update to Drupal 8.9.20.
Stay safe and ensure your sites are updated! π